Missing auto generated WAN rules for site-to-site IPsec using CARP address

Started by nzkiwi68, April 10, 2021, 11:08:08 PM

21.1.4
Trying to make a site-to-site IPsec tunnel from an HA OPNsense cluster, using the CARP address, to a single OPNsense fw.

Remote site, single fw: VPN: IPsec: Status Overview
I noticed in the Stats that the Bytes out was counting up but never any Bytes in.

HA clustered fw: VPN: IPsec: Status Overview
I noticed in the Stats that the Bytes in and out were zero.

That got me thinking that the ESP traffic was getting dropped, and then I discovered that on the HA site:
GUI> Firewall: Rules: WAN

The automatically generated rules had nothing for the IPsec tunnel that had the CARP address set in P1. If I changed P1 from the CARP address to the actual WAN interface IP, then the auto rules got created.

Looks like a bug with CARP and IPsec.

Could that be why the tunnel got created but no traffic would pass?

Until I added my own manual WAN allow IPsec rules, the tunnel would not work.

Interestingly, I can lock down the remote IP address for ISAKMP and NAT-T, but the allow ESP rule had to be from any to work; locking down ESP to a specific IP address did not work.
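The diagnosis in the post above (bytes out but none in, inbound ESP dropped, auto WAN rules missing for the CARP address) boils down to one question: does the running pf ruleset admit ISAKMP, NAT-T and ESP to the VIP that Phase 1 is bound to? As an added example, not part of the original post and not OPNsense's own code, here is a POSIX sh check that audits `pfctl -sr` output for those three allows and prints the pf.conf equivalent of the manual WAN rules. The interface name em0, the addresses, the function names and the sample `pfctl -sr` lines are all constructed for illustration; the sample output format only approximates what pfctl prints.

```sh
#!/bin/sh
# Added example, not OPNsense code. Audits the live pf ruleset for the three
# inbound flows a site-to-site IPsec responder needs on the WAN when Phase 1 is
# bound to a CARP VIP: ISAKMP (udp/500), NAT-T (udp/4500) and ESP (proto 50).
# Usage on the firewall: check_ipsec_rules "$(pfctl -sr)" <carp-vip>
# Prints the names of the missing flows (empty output means all three are allowed).

# Constructed sample of `pfctl -sr` output (format approximated, not captured
# from a real box): auto rules exist for the interface address 198.51.100.11,
# but Phase 1 is bound to the CARP VIP 198.51.100.10, so nothing matches the VIP.
SAMPLE_MISSING='pass in quick on em0 inet proto udp from 203.0.113.2 to 198.51.100.11 port = isakmp keep state
pass in quick on em0 inet proto udp from 203.0.113.2 to 198.51.100.11 port = ipsec-nat-t keep state
pass in quick on em0 inet proto esp from 203.0.113.2 to 198.51.100.11 keep state
block drop in log on em0 all'

# Constructed sample after adding manual WAN rules with the VIP as destination.
SAMPLE_OK='pass in quick on em0 inet proto udp from 203.0.113.2 to 198.51.100.10 port = 500 keep state
pass in quick on em0 inet proto udp from 203.0.113.2 to 198.51.100.10 port = 4500 keep state
pass in quick on em0 inet proto esp from any to 198.51.100.10 keep state
block drop in log on em0 all'

# check_ipsec_rules RULESET VIP -> prints the missing flows out of: isakmp nat-t esp
check_ipsec_rules() {
    rules=$1
    vip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots in the regex
    missing=""
    # Only inbound pass rules whose destination is the VIP (or any) can admit
    # the peer's traffic; rules written for the interface address do not count.
    in_rules=$(printf '%s\n' "$rules" | grep -E '^pass in ' \
        | grep -E "to (any|$vip_re)( |\$)" || true)
    printf '%s\n' "$in_rules" | grep -qE 'proto udp .*port = (500|isakmp)( |$)' \
        || missing="$missing isakmp"
    printf '%s\n' "$in_rules" | grep -qE 'proto udp .*port = (4500|ipsec-nat-t)( |$)' \
        || missing="$missing nat-t"
    printf '%s\n' "$in_rules" | grep -qE 'proto esp( |$)' \
        || missing="$missing esp"
    printf '%s\n' "${missing# }"
}

# suggest_ipsec_rules IFACE VIP PEER -> the three allows in pf.conf syntax,
# i.e. what to reproduce as manual WAN rules with the CARP VIP as destination.
# Source is the remote peer; widen it to "any" only if your setup needs it.
suggest_ipsec_rules() {
    printf 'pass in quick on %s inet proto udp from %s to %s port { 500, 4500 } keep state\n' "$1" "$3" "$2"
    printf 'pass in quick on %s inet proto esp from %s to %s keep state\n' "$1" "$3" "$2"
}

echo "missing for VIP (before manual rules): $(check_ipsec_rules "$SAMPLE_MISSING" 198.51.100.10)"
echo "missing for VIP (after manual rules):  $(check_ipsec_rules "$SAMPLE_OK" 198.51.100.10)"
suggest_ipsec_rules em0 198.51.100.10 203.0.113.2
```

The check deliberately ignores rules whose destination is the interface address: that is exactly the case the post describes, where the auto rules exist but for the wrong address, so the tunnel negotiates nothing and inbound ESP is dropped by the default block.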

OK, I give up!

I can sort of, from time to time, get it to go by writing my own in and out WAN firewall rules, but boy, are they unreliable.

I am convinced that the CARP address attached to the WAN is mostly (or only occasionally) matching my inbound firewall rules of destination "this firewall" or when I write the exact CARP IP address.

I say that because it's just so hit and miss to get it to work.

We really need this looked at:
* binding the CARP address
* WAN auto IPsec allow firewall rules when using a CARP address in your firewall P1

Phew, found my issue for unreliable CARP WAN IP.

I'm replacing a pair of pfSense HA firewalls, and I have the OPNsense firewalls set up on the same LAN and WAN with different IP addresses.

But!
I did clash when creating the OPNsense CARP addresses: I used the same VHID numbers (starting from 1, you see) and I didn't think about VHIDs 1 and 2 already being in use by pfSense.

One to watch out for...

...The auto WAN IPsec firewall rules being missing and not getting created is still an issue when using CARP.
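A way to catch the VHID clash described in the last post before it bites: capture CARP advertisements on the shared segment and compare the VHIDs already in use against the ones you intend to assign. This is an added example, not the poster's words and not OPNsense code; the tcpdump output format is approximated from its CARP decoder, and the addresses, function names and sample capture are constructed for illustration.

```sh
#!/bin/sh
# Added example, not OPNsense code. Before assigning CARP VHIDs on a segment
# that already carries another cluster (here the pfSense pair being replaced),
# list the VHIDs already advertised on the wire and flag clashes with the ones
# you plan to use. Capture on the firewall with, for example:
#   tcpdump -nni em0 -c 50 proto carp > carp.txt
# then: vhid_conflicts "$(cat carp.txt)" "1 2 3" "<own node IPs>"

# Constructed sample capture (format approximates tcpdump's CARP decoder; not a
# real capture). 192.168.1.1 is the existing pfSense master advertising
# VHIDs 1 and 2; 192.168.1.3 is one of our own OPNsense nodes advertising VHID 5.
SAMPLE_DUMP='12:00:01.000001 IP 192.168.1.1 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=17
12:00:01.000002 IP 192.168.1.1 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=17
12:00:01.100000 IP 192.168.1.3 > 224.0.0.18: CARPv2-advertise 36: vhid=5 advbase=1 advskew=0 authlen=7 counter=3
12:00:02.000001 IP 192.168.1.1 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=18'

# carp_vhids_in_use DUMP -> unique "vhid source-ip" pairs seen in advertisements
carp_vhids_in_use() {
    printf '%s\n' "$1" | awk '/CARPv[0-9]+-advertise/ {
        src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "IP") src = $(i + 1)            # source address follows "IP"
            if ($i ~ /^vhid=/) { sub(/^vhid=/, "", $i); print $i, src }
        }
    }' | sort -u
}

# vhid_conflicts DUMP PLANNED_VHIDS OWN_IPS -> one line per planned VHID that is
# already advertised by a host that is not one of our own cluster nodes
vhid_conflicts() {
    dump=$1 planned=$2 own=$3
    carp_vhids_in_use "$dump" | while read -r vhid src; do
        case " $planned " in *" $vhid "*) ;; *) continue ;; esac   # not one we plan to use
        case " $own " in *" $src "*) continue ;; esac               # our own cluster, fine
        printf 'vhid %s already advertised by %s\n' "$vhid" "$src"
    done
}

echo "VHIDs seen on the wire:"
carp_vhids_in_use "$SAMPLE_DUMP"
echo "clashes with planned VHIDs 1 2 3:"
vhid_conflicts "$SAMPLE_DUMP" "1 2 3" "192.168.1.3 192.168.1.4"
```

Run the capture on each interface that carries a VIP (the WAN as well as the LAN), since a VHID only has to be unique per segment and a clash on either side produces the kind of intermittent failover the middle post describes.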